Basics of VPNs (Virtual Private Networks)

A VPN, or Virtual Private Network, is a form of network virtualization commonly used by a remote device to simulate being on a private network. Because a virtual private network runs over the internet, it removes the need for enterprises to lease costly private lines from one location to another just so the sites can be part of the same private network.

Businesses rely on VPNs for purposes such as accessing network drives, network security management, and device management, among countless others. The primary reason a typical consumer may want a VPN is secure browsing. Using public Wi-Fi means that your internet traffic passes through the public network you are currently connected to, and a common problem is that these public networks have poor security and malicious hackers waiting to capture your data.

You may be wondering: if the VPN uses the internet, doesn't your traffic still cross the public network to reach the VPN? You would be right to ask how that makes things more secure. The answer is encapsulation, otherwise known as tunneling. A VPN tunnels at layer 2 or layer 3 of the OSI model, the data link layer and the network (internet) layer. The packet is encapsulated with a VPN header, sent from one device across the internet to the other device, and the destination device then reverses the encapsulation. This is referred to as tunneling because, while the data is in transit between the two devices, it is unreadable to the intermediary devices.

VPN protocols

IPSec, or Internet Protocol Security, uses the Encapsulating Security Payload (ESP) and Authentication Header (AH) protocols to provide a secure network protocol suite. It is commonly used in VPNs in either tunnel mode or transport mode. In tunnel mode the entire IP packet is encrypted by IPSec; in transport mode only the payload carried inside the IP packet is encrypted. Transport mode is used for end-to-end communications and is commonly used when another tunneling protocol such as GRE first encapsulates the IP packet, with IPSec then protecting the GRE tunnel packets. Tunnel mode is the default mode and is used for site-to-site communications.
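To make the tunnel-mode versus transport-mode difference concrete, the following added example (not from the original post) builds the byte layout of both encapsulations in Python. It shows only the header structure: the ESP payload is left unencrypted and the integrity check value is omitted, and all addresses and payload bytes are constructed sample values.

```python
import struct
from ipaddress import IPv4Address

ESP_PROTO = 50   # IP protocol number for ESP in the outer header
UDP_PROTO = 17   # protocol of the constructed inner segment

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum over a 20-byte IPv4 header."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal IPv4 header: version 4, IHL 5, DF set, TTL 64, no options."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000,
                      64, proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def esp_wrap(inner: bytes, spi: int, seq: int, next_header: int) -> bytes:
    """ESP header (SPI, sequence number), payload, then trailer (pad length,
    Next Header). Encryption and the ICV are intentionally omitted here."""
    pad_len = (-len(inner) - 2) % 4          # align payload plus trailer to 4 bytes
    return (struct.pack("!II", spi, seq) + inner + bytes(pad_len)
            + bytes([pad_len, next_header]))

def transport_mode(src: str, dst: str, segment: bytes, spi=0x1000, seq=1) -> bytes:
    """Transport mode: only the transport segment is inside ESP; the original
    IP header (with the real endpoints) stays visible on the outside."""
    esp = esp_wrap(segment, spi, seq, UDP_PROTO)
    return ipv4_header(src, dst, ESP_PROTO, len(esp)) + esp

def tunnel_mode(inner_src: str, inner_dst: str, gw_src: str, gw_dst: str,
                segment: bytes, spi=0x2000, seq=1) -> bytes:
    """Tunnel mode: the whole inner IP packet is inside ESP and a new outer
    header names only the two gateways (site-to-site)."""
    inner_pkt = ipv4_header(inner_src, inner_dst, UDP_PROTO, len(segment)) + segment
    esp = esp_wrap(inner_pkt, spi, seq, 4)   # Next Header 4 = IP-in-IP
    return ipv4_header(gw_src, gw_dst, ESP_PROTO, len(esp)) + esp

def outer_addresses(pkt: bytes):
    """What an intermediary router sees: the outer header's source and destination."""
    return str(IPv4Address(pkt[12:16])), str(IPv4Address(pkt[16:20]))

if __name__ == "__main__":
    seg = b"hello"   # constructed sample segment
    print(outer_addresses(transport_mode("10.0.0.5", "10.0.0.9", seg)))
    print(outer_addresses(tunnel_mode("10.0.0.5", "10.1.0.7",
                                      "203.0.113.1", "198.51.100.2", seg)))
```

In tunnel mode the inner hosts 10.0.0.5 and 10.1.0.7 appear only inside the ESP payload, which is why intermediaries learn nothing about them once that payload is encrypted.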

Layer 2 Tunneling Protocol, or L2TP, is a tunneling protocol commonly paired with another VPN security protocol such as IPSec, because on its own it provides no encryption or confidentiality. The tunnel connects two L2TP-enabled endpoints.

Point-to-Point Tunneling Protocol, or PPTP, creates a tunnel using Generic Routing Encapsulation (GRE), which again means encapsulating a data packet. For encryption, PPTP relies on the Point-to-Point Protocol (PPP) to encrypt data across the connection. According to Wikipedia, PPTP has many known security issues.

SSL (Secure Sockets Layer) and TLS (Transport Layer Security) VPNs use the SSL or TLS protocol to provide a secure connection over the internet, establishing a VPN connection through a web browser. This method uses end-to-end encryption (E2EE) to protect the data transmitted between the endpoint devices' client software. Because it operates at the transport layer of the OSI model, traffic can be split: secure access for enterprise resources and unsecured access for public resources.

OpenVPN is an open-source VPN that uses a custom security protocol relying on SSL/TLS for key exchange. Connections are point-to-point or site-to-site. The application lets peers authenticate each endpoint using pre-shared secret keys, certificates, or a username/password combination.

SSH, while not designed solely to forward network traffic, can be used as a VPN. This is because SSH uses strong encryption and can set up a session as a SOCKS proxy. A client sends traffic to the SOCKS proxy on the local system, and the SSH client then forwards that traffic over the encrypted session. While not a replacement for a full-fledged VPN, this does create a tunnel. The downside is that you must configure each application to use the SSH tunnel proxy. A valid reason to use SSH tunneling would be to secure HTTP traffic or bypass a school's network policy on a specific application.
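"Configuring each application to use the proxy" means the application has to speak SOCKS5 (RFC 1928) to the local listener. The following added example (not from the original post) shows that handshake by hand; it assumes the SSH client was started with dynamic forwarding on 127.0.0.1:1080 (`ssh -D 1080`), which accepts connections without proxy authentication.

```python
import socket
import struct

SOCKS_VERSION = 5
NO_AUTH = 0x00        # the method ssh -D offers; no separate proxy login
CMD_CONNECT = 0x01
ATYP_DOMAIN = 0x03    # send the hostname, not a resolved IP

REPLY_TEXT = {0: "succeeded", 1: "general failure", 2: "not allowed by ruleset",
              3: "network unreachable", 4: "host unreachable",
              5: "connection refused", 6: "TTL expired",
              7: "command not supported", 8: "address type not supported"}

def greeting() -> bytes:
    """Method selection: version 5, one method offered, 'no authentication'."""
    return bytes([SOCKS_VERSION, 1, NO_AUTH])

def connect_request(host: str, port: int) -> bytes:
    """CONNECT with a domain-name address, so the name is resolved by the SSH
    server at the far end rather than by the resolver on the local network."""
    name = host.encode("idna")
    if len(name) > 255:
        raise ValueError("hostname too long for SOCKS5")
    return (bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)])
            + name + struct.pack("!H", port))

def parse_reply(data: bytes) -> str:
    """Interpret the proxy's reply to CONNECT; the status byte is data[1]."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    return REPLY_TEXT.get(data[1], f"unknown code {data[1]}")

def connect_via_ssh_proxy(host: str, port: int, proxy=("127.0.0.1", 1080),
                          timeout: float = 5.0) -> socket.socket:
    """Open a TCP connection to host:port through the local ssh -D proxy.
    Returns the socket; everything sent on it then travels inside the SSH tunnel."""
    s = socket.create_connection(proxy, timeout)
    s.sendall(greeting())
    if s.recv(2) != bytes([SOCKS_VERSION, NO_AUTH]):
        s.close()
        raise ConnectionError("proxy rejected the no-authentication method")
    s.sendall(connect_request(host, port))
    status = parse_reply(s.recv(262))    # max reply length for a domain address
    if status != "succeeded":
        s.close()
        raise ConnectionError(f"SOCKS5 CONNECT failed: {status}")
    return s
```

Applications that cannot be pointed at a SOCKS proxy simply connect directly, which is exactly the gap the post notes compared with a full VPN.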
